Coverage Report

Created: 2025-11-16 07:29

/src/kea-fuzzer/fuzz_hook_lease_query6.cc
Line
Count
Source
1
// Copyright (C) 2025 Ada Logcis Ltd.
2
//
3
// This Source Code Form is subject to the terms of the Mozilla Public
4
// License, v. 2.0. If a copy of the MPL was not distributed with this
5
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
6
////////////////////////////////////////////////////////////////////////////////
7
#include <config.h>
8
#include <fuzzer/FuzzedDataProvider.h>
9
10
#include <dhcp/dhcp6.h>
11
#include <dhcp/pkt6.h>
12
#include <dhcp/libdhcp++.h>
13
#include <dhcp6/ctrl_dhcp6_srv.h>
14
#include <dhcpsrv/callout_handle_store.h>
15
#include <log/logger_support.h>
16
#include <util/filesystem.h>
17
18
#include <cstddef>
19
#include <cstdint>
20
#include <vector>
21
#include <list>
22
#include <memory>
23
#include <iostream>
24
#include <filesystem>
25
#include <fstream>
26
#include <string>
27
#include <cstdio>
28
#include <cstdlib>
29
30
#include "helper_func.h"
31
32
using namespace isc::dhcp;
33
using namespace isc::hooks;
34
using namespace isc::util;
35
36
extern "C" int buffer6_receive(CalloutHandle& handle);
37
38
3.57k
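/// @brief libFuzzer entry point: parses the input as a DHCPv6 packet and
/// passes it to the hook's buffer6_receive callout.
///
/// The raw bytes are unpacked into a Pkt6, the message type is overwritten
/// with a fuzzer-chosen value in [0, 37], and the packet is handed to the
/// callout as the "query6" argument.
///
/// @param data Fuzzer-supplied input bytes.
/// @param size Number of bytes in @p data.
/// @return Always 0.
///
/// @note Only isc::Exception and boost::exception are swallowed around the
/// callout; any other exception type propagates out of the harness.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // NOTE(review): 236 bytes matches the fixed DHCPv4/BOOTP header, not the
    // much shorter DHCPv6 message header, so this gate likely keeps short
    // DHCPv6 inputs away from Pkt6::unpack(). Confirm before lowering it.
    if (size < 236) {
        return 0;
    }

    // One-time process setup. The environment and the logger do not depend on
    // the input, so they are configured on the first call only instead of on
    // every iteration. If logger set-up throws, every input is skipped.
    static const bool env_ready = []() noexcept {
        // Force the DUID file to /tmp (overwrites any existing value). The
        // fixed /tmp locations below assume a disposable fuzzing sandbox.
        setenv("KEA_DHCP_DATA_DIR", "/tmp", 1);

        // Defaults below are applied only when the variable is not set yet.
        setenv("KEA_LOGGER_DESTINATION", "/dev/null", 0);
        setenv("KEA_LOCKFILE_DIR", "/tmp", 0);
        setenv("KEA_PIDFILE_DIR", "/tmp", 0);
        setenv("KEA_LFC_EXECUTABLE", "/bin/true", 0);

        try {
            isc::log::initLogger("fuzzer");
            isc::process::Daemon::loggerInit("fuzzer", false);
            isc::process::Daemon::setDefaultLoggerName("fuzzer");
        } catch (...) {
            // Logging could not be initialised (count 0 in the coverage run
            // this listing was taken from).
            return false;
        }
        return true;
    }();
    if (!env_ready) {
        return 0;
    }

    // Packet parsing: inputs that do not unpack as DHCPv6 are dropped here.
    Pkt6Ptr pkt;
    try {
        pkt = Pkt6Ptr(new Pkt6(data, size));
        pkt->unpack();
    } catch (...) {
        return 0;
    }

    // Override the message type with a fuzzer-chosen value. The provider is
    // built over the same bytes the packet was parsed from, so the selector
    // is not independent of the packet contents.
    FuzzedDataProvider fdp(data, size);
    const uint8_t type_choice = fdp.ConsumeIntegralInRange<uint8_t>(0, 37);
    pkt->setType(static_cast<DHCPv6MessageType>(type_choice));

    // The handle is obtained once, inside the try block, so that an
    // isc::Exception from getCalloutHandle() is handled like one from the
    // callout. The original fetched it a second time before the try.
    CalloutHandlePtr handle;
    try {
        handle = getCalloutHandle(pkt);
        handle->setArgument("query6", pkt);
        buffer6_receive(*handle);
    } catch (const isc::Exception&) {
        // Expected rejection of malformed input; not a finding.
        // (Count 0 in the coverage run this listing was taken from.)
    } catch (const boost::exception&) {
        // Same as above for Boost-originated errors.
    }

    // Drop the stored arguments so that the handle does not keep the packet
    // alive after this iteration.
    if (handle) {
        handle->deleteAllArguments();
    }

    return 0;
}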